Module 2: Threat Management & Cybersecurity Resources Flashcards

1
Q

What is the goal of Threat Management?

A

To take the appropriate steps needed to minimize hostile cyber actions; “what threat can take advantage of a vulnerability to bypass our defenses, & how can we prevent it?”

2
Q

What is the First Step in Threat Management?

A

Test the defenses to find any weaknesses

3
Q

What is Penetration Testing?

A

Attempts to exploit vulnerabilities just as a threat actor would

4
Q

How does Penetration Testing help with exposing vulnerabilities?

A

1) Helps to uncover new vulnerabilities
2) Provides a clear picture of their nature
3) Determines how they could be used against the organization

5
Q

What does studying Penetration Testing involve?

A
  • Defining what it is & why such a test should be conducted
  • Examining who should perform the tests & the rules for engagement
  • Knowing how to perform a penetration test
6
Q

What is the First Step in a pen test?

A

Planning!

7
Q

Why conduct a pen test, as opposed to a scan?

A

While a scan of network defenses can help find vulnerabilities, the type of vulnerabilities revealed is different from those found by a pen test:

  • A scan usually only finds surface problems to be addressed
  • Many scans are entirely automated & provide only limited verification of any discovered vulnerabilities, while a pen test can find deep vulnerabilities (e.g., a chain of lower-severity flaws that together give access)
8
Q

What are the pros & cons of hiring internal employees to perform pen testing?

A

Pros:
- There is little or no additional cost
- The test can be conducted much more quickly
- An in-house pen test can be used to enhance the training of employees & raise the awareness of security risks

Cons:
- Inside Knowledge - employees would have in-depth knowledge of the network & devices (threat actors would not have the same knowledge)
- Lack of Expertise - employees may not have the credentials or skills needed to perform a pen test
- Reluctance to Reveal - employees may be reluctant to reveal a vulnerability discovered in a network or system that they or a fellow employee have been charged w/ protecting

9
Q

Who is on the Red Team & what do they do?

A

Role: Attackers

Duties: Scans for vulnerabilities & then exploits them

Explanation: Has prior & in-depth knowledge of existing security, which may provide an unfair advantage

10
Q

Who is on the Blue Team & what do they do?

A

Role: Defenders

Duties: Monitors for Red Team attacks & shores up defenses as necessary

Explanation: Examines log files, traffic analysis results, & other data to look for signs of an attack

11
Q

Who is on the White Team & what do they do?

A

Role: Referees

Duties: Enforces the rules of the penetration testing

Explanation: Makes note of the Blue Team’s responses & Red Team’s attacks

12
Q

Who is on the Purple Team & what do they do?

A

Role: Bridge

Duties: Provides real-time feedback b/t the Red & Blue Teams to enhance the testing

Explanation: The Blue Team receives information that can be used to prioritize & improve its ability to detect attacks, while the Red Team learns more about the technologies & mechanisms used in the defense

13
Q

What are the advantages & disadvantages of hiring an External Pen Testing Consultant?

A

Pros:
1) Expertise
2) Credentials
3) Experience
4) Focus

Cons:
1) May receive extremely sensitive information about systems & how to access them
2) This knowledge could be sold to a competitor

14
Q

What are the Penetration Testing Levels?

A

1) Black Box
2) Gray Box
3) White Box

15
Q

Describe the Black Box pen testing level?

A

Testers have no knowledge of the network & no special privileges

Task: Attempt to penetrate network

Pro: Emulates exactly what a threat actor would do & see

Con: If testers cannot penetrate the network, then no test can occur

16
Q

Describe the Gray Box pen testing level?

A

Testers are given limited knowledge of the network & some elevated privileges

Task: Focus on systems w/ the greatest risk & value to the organization

Pro: Assesses security more efficiently, instead of spending time compromising the network & only then determining which systems to attack

Con: This head start does not allow testers to truly emulate what a threat actor may do

17
Q

Describe the White Box pen testing level?

A

Testers are given full knowledge of the network & the source code of applications

Task: Identify potential points of weakness

Pro: Testers can focus directly on the systems to test for penetration

Con: This approach does not provide a full picture of the network’s vulnerabilities

18
Q

What are the advantages of crowdsourced pen testers?

A
  • Fast testing, resulting in quicker remediation of vulnerabilities
  • Ability to rotate teams so different individuals test the system
  • Option of conducting multiple pen tests simultaneously
19
Q

What are the Rules of Engagement?

A

Pen testing’s limitations or parameters

20
Q

What happens to a pen test if there are no parameters?

A

W/o parameters, a pen test can easily veer off course & not accomplish the desired results, take too long to produce timely results, or test assets that do not need to be tested

21
Q

What are the Categories for Rules of Engagement (7)?

A

1) Timing
2) Scope
3) Authorization
4) Exploitation
5) Communication
6) Cleanup
7) Reporting

22
Q

What is the Timing Category for ROE?

A
  • The timing parameter sets when the testing will occur
  • Some considerations include: the start & stop dates of the test; whether the active portions of the pen test should be conducted during normal business hours, after business hours, or only on weekends; & what happens if a vulnerability requires immediate attention
    o Testing during business hours could cause unforeseen interruptions to normal activities
    o Testing after business hours or only on weekends avoids that, but means fewer staff are available if something breaks
23
Q

What is the Scope Category for ROE?

A
  • Scope is what should be tested
  • It involves several elements that define the relevant test boundaries:
  • Environment (e.g., the live production environment vs. a test environment)
  • Internal Targets (must be clearly identified for an external 3rd-party gray box or white box test)
  • External Targets (a service or app hosted by a 3rd party; testing it usually also requires that provider's permission)
  • Target Locations (r/t differing laws among states, provinces, & countries)
  • Other Boundaries (beyond technical boundaries: is physical security in scope? are the targets limited? are spear phishing messages limited?)
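
The Timing, Scope, Exploitation & Authorization categories above are easiest to see as the checks a pen-test toolkit should run before every action. The following is an added example, not part of the original flashcards & not code from any pen-test product: a small rules-of-engagement guard. The ROE values it uses (RFC 5737 documentation addresses, the dates, the after-hours window, the exploitation flag) are constructed assumptions; a real tool would load them from the signed authorization document.

```python
"""Rules-of-engagement guard for a pen-test toolkit: refuse an action against a
target that is outside the agreed scope, outside the agreed timing window, or
beyond the agreed exploitation level.

Added illustration, not part of the original flashcards and not from any
pen-test product. The ROE values below are constructed assumptions.
"""
from datetime import datetime, time, timezone
import ipaddress

# Constructed ROE (assumption). Addresses come from the RFC 5737 documentation ranges.
ROE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],   # Scope: networks/hosts we may touch
    "excluded": ["203.0.113.250"],                      # Scope: hosts explicitly off limits
    "start": "2024-03-04T00:00:00+00:00",               # Timing: start date of the test
    "stop": "2024-03-15T00:00:00+00:00",                # Timing: stop date of the test
    "active_hours": ("22:00", "06:00"),                 # Timing: after business hours only (UTC)
    "exploitation": False,                              # Exploitation: enumerate only, never exploit
}

class OutOfScope(Exception):
    """Raised when an action would violate the ROE."""

def _networks(entries):
    # A bare host address such as "198.51.100.10" becomes a /32 network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_scope(target: str, roe: dict = ROE) -> bool:
    """True if target is inside an in-scope range and not in an excluded one."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in _networks(roe["excluded"])):
        return False
    return any(addr in net for net in _networks(roe["in_scope"]))

def in_window(when_iso: str, roe: dict = ROE) -> bool:
    """True if the instant lies between the start/stop dates and inside active_hours (UTC)."""
    when = datetime.fromisoformat(when_iso).astimezone(timezone.utc)
    start = datetime.fromisoformat(roe["start"])
    stop = datetime.fromisoformat(roe["stop"])
    if not (start <= when < stop):
        return False
    lo = time.fromisoformat(roe["active_hours"][0])
    hi = time.fromisoformat(roe["active_hours"][1])
    t = when.time()
    if lo <= hi:                      # e.g. 09:00-17:00
        return lo <= t < hi
    return t >= lo or t < hi          # e.g. 22:00-06:00 wraps past midnight

def authorize(target: str, when_iso: str, action: str, roe: dict = ROE) -> None:
    """Raise OutOfScope unless `action` against `target` at `when_iso` is permitted."""
    if not in_scope(target, roe):
        raise OutOfScope(f"{target} is not an authorized target")
    if not in_window(when_iso, roe):
        raise OutOfScope(f"{when_iso} is outside the agreed testing window")
    if action == "exploit" and not roe["exploitation"]:
        raise OutOfScope("exploitation is not authorized by the ROE; enumeration only")

def permitted(target: str, when_iso: str, action: str, roe: dict = ROE) -> bool:
    """Boolean form of authorize(), convenient for scripts."""
    try:
        authorize(target, when_iso, action, roe)
        return True
    except OutOfScope:
        return False

if __name__ == "__main__":
    for target, when, action in [
        ("203.0.113.20", "2024-03-05T23:30:00+00:00", "scan"),
        ("203.0.113.250", "2024-03-05T23:30:00+00:00", "scan"),
        ("203.0.113.20", "2024-03-05T14:00:00+00:00", "scan"),
        ("203.0.113.20", "2024-03-05T23:30:00+00:00", "exploit"),
    ]:
        verdict = "permitted" if permitted(target, when, action) else "refused"
        print(target, when, action, "->", verdict)
```

The exclusion list is checked before the in-scope list on purpose: a host that is named in both (a fragile production database inside an in-scope /24, say) must lose. Timestamps are compared in UTC so that a tester & a client in different time zones read the same window.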
24
Q

What is the Authorization Category for ROE?

A
  • Authorization is the receipt of prior written approval to conduct the pen test
    o A formal written document must be signed by all parties before a pen test begins
25
Q

What is the Exploitation Category for ROE?

A
  • The exploitation level of a pen test (e.g., enumerate only vs. actively exploit what is found) should be part of the scope that is discussed & agreed in the planning stages
26
Q

What is the Communication Category for ROE?

A
  • The pen tester should communicate w/ the organization on the following occasions:

o Initiation – once the test has started, the organization should be notified that the process has begun
o Incident Response – if the pen tester can complete the initial vulnerability assessment w/o triggering the organization's incident response mechanism, a critical gap in the security structure has been identified & should be communicated
o Status – provide periodic status reports instead of waiting until the pen test is completed
o Emergency – a critical vulnerability should immediately be reported to the organization's management while the pen test is paused

27
Q

What is the Cleanup Category of the ROE?

A
  • Pen tester must ensure that everything r/t pen test has been removed
  • Should be clearly outlined in the rules of engagement
  • Cleanup involves removing all software agents, scripts, executable binaries, temporary files, & backdoors from all affected systems
  • Any credentials that were changed should be restored & any usernames created should be removed
28
Q

What is the Reporting Category of the ROE?

A
  • Once the pen test is completed, a report should be generated to document its objectives, methods used, & results
  • The report should be divided into two parts based on 2 separate audiences:
    o 1) Executive summary - designed for a less technical audience
    o 2) A more technical report written for security professionals
29
Q

What are the 2 Phases of Performing a Pen Test?

A

1) Reconnaissance
2) Penetration

30
Q

What happens during the Reconnaissance Phase of Penetration Testing?

A
  • The first task of a black box or gray box tester is to perform preliminary information gathering from outside the organization (called footprinting)
  • Information can be gathered using 2 methods:
    o 1) Active Reconnaissance – involves directly probing the target for vulnerabilities & useful information
       Ex: War driving – searching for wireless signals from an automobile or on foot while using a portable device
    o 2) Passive Reconnaissance – the tester uses tools & sources that do not raise any alarms at the target
       Ex: Searching online for publicly accessible information, called open source intelligence (OSINT), that can reveal valuable insight about the system

31
Q

What is Footprinting?

A

Perform preliminary information gathering from outside the organization

32
Q

What is the 2nd Phase of Penetration Testing?

A

Penetration!

Pen test is intended to simulate the actions of a threat actor
* “What do threat actors do when they uncover a vulnerability through reconnaissance?”

33
Q

What are the steps of Penetration during the 2nd Phase of Pen Testing?

A

1) Threat actors first conduct reconnaissance against the systems, looking for vulnerabilities.
2) When a path to a vulnerability is exposed, they gain access to the system through the vulnerability.
3) Once initial access is gained, threat actors attempt to escalate to more advanced resources that are normally protected from an app or user (privilege escalation)
4) W/ the advanced privileges, threat actors tunnel through the network looking for additional systems they can access from their elevated position (lateral movement)
5) Threat actors install tools on the compromised systems to gain even deeper access to the network.
6) Threat actors may install a backdoor that allows them repeated & long-term access to the system in the future. The backdoors are not r/t the initial vulnerability, so access remains even if the initial vulnerability is corrected.
7) Once the backdoor is installed, threat actors can continue to probe until they find their ultimate target & perform their intended malicious action, such as stealing research & development (R&D) information, password files, or customer credit card numbers.

34
Q

What lessons are to be learned about how threat actors work during pen testing?

A

o When a vulnerability is discovered, the work is not finished
o The pen tester must determine how to pivot (turn) to another system using another vulnerability to continue moving toward the target
o Vulnerabilities that are not part of the ultimate target can still provide a gateway to the target
    No vulnerability is insignificant
o Pen tests are manual; therefore, a pen tester needs to design attacks carefully
o Pen testers must be patient & persistent, just like the threat actors

35
Q

What is a Vulnerability Scan?

A

A frequent & ongoing process that continuously identifies vulnerabilities & monitors cybersecurity progress (new car)

Cyclical process of ongoing scanning & continuous monitoring to reduce the attack surface

36
Q

Conducting a vulnerability scan involves?

A

o Knowing what to scan & how often
o Selecting a type of scan &
o Interpreting vulnerability information

37
Q

What are 2 primary reasons for not conducting around-the-clock vulnerability scans?

A

Workflow interruptions
Technical constraints

38
Q

What are the types of Vulnerability Scans?

A

1) Credentialed Scan
2) Non-credentialed scan
3) Intrusive scan
4) Nonintrusive scan

39
Q

How are a Credentialed & Non-credentialed scan different?

A

1) Credentialed Scan –
* Valid authentication credentials are supplied to the vulnerability scanner to mimic the work of a threat actor who possesses these credentials
o Ex: usernames & passwords
2) Non-credentialed Scan –
* Provides no such authentication information to the scanner, so it sees only what an unauthenticated attacker on the network would see

40
Q

How are an Intrusive scan & Nonintrusive scan different?

A

1) Intrusive Scan –
* Attempts to exploit any vulnerabilities that it finds, like a threat actor would

2) Nonintrusive Scan –
* Does not attempt to exploit the vulnerability but only records that it was discovered

41
Q

What is Mitre Common Vulnerabilities and Exposure (CVE)?

A

A dictionary of publicly known vulnerabilities in operating systems & application software, each assigned a unique identifier (format CVE-YYYY-NNNN) so that scanners, advisories, & feeds all refer to the same flaw
o The most popular vulnerability feed
o CVE itself only identifies & describes a vulnerability; the severity score comes from CVSS (see next card)

42
Q

What is the Common Vulnerability Scoring System (CVSS)?

A

Numerical score (0.0 to 10.0) generated using a formula that considers variables such as the access vector, attack complexity, authentication, & the impact on the data's confidentiality, integrity, & availability
o (Those are the CVSS v2 metric names; CVSS v3.x uses attack vector, attack complexity, privileges required, user interaction & scope for the base score, & layers temporal & environmental metrics on top of it)
o Vulnerabilities with the highest CVSS scores are generally considered to require early attention
o However, the vulnerabilities w/ the higher CVSS scores may not always be the ones that should be addressed first
o Look at the scores & the entire vulnerability scan in the context of the organization (e.g., a 9.8 on an isolated lab host may matter less than a 7.5 on an internet-facing payment system)
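
To make the last two points concrete, here is an added example (not part of the original flashcards, & not any scanner's own logic) that ranks the same scan output two ways: by raw CVSS base score, & by the score read in the organization's context. The findings, host names, exposure/criticality tags & the weighting rule are constructed assumptions; the CVE-2024-000x identifiers are placeholders in the CVE-YYYY-NNNN format from the previous card, not real advisories.

```python
"""Reading a vulnerability scan in context: ranking by raw CVSS base score beside
a ranking that weights each finding by the asset's exposure and criticality.

Added illustration, not from the original flashcards and not any scanner's own
logic. Findings, tags, weights and CVE identifiers are constructed assumptions.
"""
import re

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")   # the identifier format the CVE list uses

# Constructed scanner export (assumption): one finding per row, CVSS v3.x base scores.
FINDINGS = [
    {"cve": "CVE-2024-0001", "cvss": 9.8, "host": "intranet-wiki", "exposure": "internal", "criticality": "low"},
    {"cve": "CVE-2024-0002", "cvss": 7.5, "host": "payments-api",  "exposure": "internet", "criticality": "high"},
    {"cve": "CVE-2024-0003", "cvss": 5.3, "host": "payments-api",  "exposure": "internet", "criticality": "high"},
    {"cve": "CVE-2024-0004", "cvss": 8.8, "host": "lab-vm-17",     "exposure": "isolated", "criticality": "low"},
]

# Constructed organizational context (assumption): how much each factor discounts
# or preserves the base score. A real program would take these from its asset inventory.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.2}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}

def validate(finding: dict) -> None:
    """Reject malformed rows before they influence the ranking."""
    if not CVE_ID.match(finding["cve"]):
        raise ValueError(f"not a CVE identifier: {finding['cve']!r}")
    if not 0.0 <= float(finding["cvss"]) <= 10.0:
        raise ValueError(f"CVSS out of range for {finding['cve']}: {finding['cvss']}")
    if finding["exposure"] not in EXPOSURE_WEIGHT or finding["criticality"] not in CRITICALITY_WEIGHT:
        raise ValueError(f"unknown exposure/criticality tag on {finding['cve']}")

def contextual_score(finding: dict) -> float:
    """CVSS base score scaled by where the asset sits and what it is worth."""
    validate(finding)
    score = finding["cvss"] * EXPOSURE_WEIGHT[finding["exposure"]] * CRITICALITY_WEIGHT[finding["criticality"]]
    return round(score, 2)

def rank_by_cvss(findings=FINDINGS) -> list:
    """Order of remediation if only the CVSS number is consulted."""
    return [f["cve"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]

def rank_in_context(findings=FINDINGS) -> list:
    """Order of remediation once exposure and asset criticality are applied."""
    return [f["cve"] for f in sorted(findings, key=contextual_score, reverse=True)]

if __name__ == "__main__":
    print("by CVSS alone:", rank_by_cvss())
    print("in context:   ", rank_in_context())
```

With these inputs the 9.8 on the internal wiki drops to third & the 8.8 on the isolated lab VM to last, while both findings on the internet-facing payment API move to the top: the same scan, read in the organization's context, gives a different to-do list.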

43
Q

What are the 2 Data Management Tools used for collecting & analyzing this data?

A

1) Security Information and Event Management (SIEM) -
* Consolidates real-time security monitoring & management of security information w/ analysis & reporting of security events
* The product can be a separate device, software that runs on a computer, or even a service provided by a third party

2) Security Orchestration, Automation, and Response (SOAR) -
* Similar to a SIEM in that it is designed to help security teams manage & respond to a very high # of security warnings & alarms
* However, SOAR platforms combine more comprehensive data gathering & analytics in order to automate incident response

44
Q

What are the 6 features of a SIEM?

A

1) Aggregation
2) Correlation
3) Automated alerting & triggers
4) Time synchronization
5) Event deduplication
6) Logs
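
The six SIEM features above, & the Blue Team's job of reading log files & traffic data for signs of an attack (card 10), can be shown end to end in a few dozen lines. The following is an added example, not part of the original flashcards & not any SIEM product's code: it aggregates two log sources with different formats, synchronizes their timestamps to UTC, deduplicates repeated events, correlates a burst of failed logins followed by a success, & emits an alert. Both log formats, the hosts, addresses & users, the UTC+2 clock on the web app, & the "5 failures then a success within 10 minutes" rule are constructed assumptions.

```python
"""A miniature SIEM pipeline over constructed log lines: aggregate, time-synchronize,
deduplicate, correlate and alert.

Added illustration, not part of the original flashcards and not any SIEM product's
code. All log lines, hosts, addresses, users and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple
import re

# Constructed source 1 (assumption): an SSH daemon whose clock is on UTC. Line 3
# repeats line 2 exactly, as a log forwarder that re-sent a batch would produce.
SSHD_LOG = """\
2024-03-05T09:00:01+00:00 bastion sshd: Failed password for root from 203.0.113.9
2024-03-05T09:00:03+00:00 bastion sshd: Failed password for root from 203.0.113.9
2024-03-05T09:00:03+00:00 bastion sshd: Failed password for root from 203.0.113.9
2024-03-05T09:00:05+00:00 bastion sshd: Failed password for root from 203.0.113.9
2024-03-05T09:00:08+00:00 bastion sshd: Failed password for root from 203.0.113.9
2024-03-05T09:00:11+00:00 bastion sshd: Failed password for root from 203.0.113.9
2024-03-05T09:00:40+00:00 bastion sshd: Accepted password for root from 203.0.113.9
2024-03-05T09:05:00+00:00 bastion sshd: Accepted publickey for alice from 198.51.100.7
"""

# Constructed source 2 (assumption): a web application logging in local time (UTC+2)
# with its own line format; the 11:02:14 line is duplicated.
WEBAPP_LOG = """\
[05/Mar/2024 11:02:10 +0200] auth user=bob ip=198.51.100.7 result=FAIL
[05/Mar/2024 11:02:14 +0200] auth user=bob ip=198.51.100.7 result=FAIL
[05/Mar/2024 11:02:14 +0200] auth user=bob ip=198.51.100.7 result=FAIL
[05/Mar/2024 11:02:30 +0200] auth user=bob ip=198.51.100.7 result=OK
"""

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) (?:password|publickey) for (\S+) from (\S+)$")
WEBAPP_RE = re.compile(r"^\[([^\]]+)\] auth user=(\S+) ip=(\S+) result=(FAIL|OK)$")

class Event(NamedTuple):
    """Normalized event. A tuple is hashable, so exact duplicates collapse in a set."""
    ts: datetime      # always UTC (time synchronization)
    host: str
    user: str
    src: str
    outcome: str      # "fail" or "success"
    source: str       # which log it came from

def parse_sshd(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts, host, verdict, user, src = m.groups()
        events.append(Event(datetime.fromisoformat(ts).astimezone(timezone.utc), host, user, src,
                            "fail" if verdict == "Failed" else "success", "sshd"))
    return events

def parse_webapp(text: str, host: str = "webapp") -> list:
    events = []
    for line in text.splitlines():
        m = WEBAPP_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        utc = datetime.strptime(ts, "%d/%b/%Y %H:%M:%S %z").astimezone(timezone.utc)
        events.append(Event(utc, host, user, src, "fail" if result == "FAIL" else "success", "webapp"))
    return events

def aggregate(*batches) -> list:
    """Merge events from all sources into one UTC-ordered stream (aggregation)."""
    return sorted((e for batch in batches for e in batch), key=lambda e: e.ts)

def deduplicate(events) -> list:
    """Drop repeated copies of the same event (event deduplication)."""
    seen, out = set(), []
    for e in events:
        if e not in seen:
            seen.add(e)
            out.append(e)
    return out

def correlate(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when >= threshold failures for (src, user) precede a success within window."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.src, e.user)
        if e.outcome == "fail":
            failures[key].append(e.ts)
            continue
        recent = [t for t in failures[key] if e.ts - t <= window]
        if len(recent) >= threshold:          # automated alerting & triggers
            alerts.append({"rule": "brute-force-then-success", "src": e.src, "user": e.user,
                           "host": e.host, "failures": len(recent), "at": e.ts.isoformat()})
        failures[key].clear()
    return alerts

def run_pipeline():
    events = deduplicate(aggregate(parse_sshd(SSHD_LOG), parse_webapp(WEBAPP_LOG)))
    return events, correlate(events)

if __name__ == "__main__":
    events, alerts = run_pipeline()
    print(f"{len(events)} unique events after deduplication")
    for a in alerts:
        print("ALERT", a)
```

Two things to notice. The web app's 11:02 local-time lines land at 09:02 UTC, between the two SSH bursts, which is what makes cross-source correlation possible at all; without time synchronization the two sources could not be ordered against each other. And deduplication changes the answer: the raw SSH log shows 6 failures, but one is a re-sent copy, so the rule fires on 5 unique failures, exactly at the threshold. Bob's web logins (2 unique failures, then a success) stay under the threshold & raise nothing.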